
It has been four days since Mac users began learning of a critical vulnerability in the latest version of OS X that gives attackers an easy way to surreptitiously circumvent the most widely used technology for preventing Internet eavesdropping. Three days ago, Apple told Reuters that it plans to release a patch "very soon," but it didn't elaborate on the details.

If it wasn't clear before, it should be painfully obvious now. The security and privacy of millions of Mavericks users depend on a patch becoming available soon. The vulnerability is taking on renewed urgency given the increasing availability of proof-of-concept code that exploits it. On Tuesday, security consultant Aldo Cortesi was the latest to create working attack code that targets the bug. Other public sites that do much the same thing include gotofail.com and this test page, which is signed with a key that doesn't match the underlying transport layer security certificate. The proliferation of code makes life easier for less-skilled hackers who may want to exploit the vulnerability maliciously.

The "goto fail" bug—which gets its name from one of the lines of code responsible for the vulnerability—means that the encryption functions in a wide range of OS X applications can be tricked into using a key supplied by an eavesdropper rather than the secure one supplied by the e-mail or Web server an end user is connecting to. Apps including Safari, Mail, and FaceTime have all been confirmed to be affected by the vulnerability when running on Mavericks. When exploited, they will provide no indication to end users that anything is amiss.
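The paragraph above describes the effect of the bug but not its mechanism. The following is an added illustration, not Apple's SecureTransport code: a toy stand-in for the handshake step in which the server's key-exchange parameters are hashed and that hash is checked against the server's signature. The hash and "signature" are constructed placeholders (a 32-bit accumulator, with the signature simply equal to the digest a genuine signer would compute), and all function names are hypothetical. The vulnerable version reproduces the control-flow defect the article's name refers to: a duplicated `goto fail;` line sits outside any `if`, so the function jumps to the cleanup label with the status still set to success before the signature is ever checked. The fixed version shows the same logic with braces on every branch and no duplicate jump, which is the coding-style fix that keeps this class of error visible to reviewers and to compiler warnings such as `-Wunreachable-code`.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a hash context; not cryptographic. */
typedef struct { uint32_t acc; } toy_hash_t;

/* Toy hash update: mixes each byte into the accumulator. Returns 0 on success,
 * mirroring the OSStatus-style convention where 0 means "no error". */
int toy_hash_update(toy_hash_t *h, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h->acc = h->acc * 31u + data[i];
    }
    return 0;
}

int toy_hash_final(toy_hash_t *h, uint32_t *out)
{
    *out = h->acc;
    return 0;
}

/* Toy signature check: here a "signature" is just the digest the signer computed.
 * Returns 0 if it matches, nonzero if verification fails. */
int toy_verify(uint32_t digest, uint32_t signature)
{
    return digest == signature ? 0 : 1;
}

/* What an honest server would send: the digest over randoms and parameters. */
uint32_t toy_digest(const uint8_t *randoms, size_t rl, const uint8_t *params, size_t pl)
{
    toy_hash_t ctx = {0};
    uint32_t d = 0;
    toy_hash_update(&ctx, randoms, rl);
    toy_hash_update(&ctx, params, pl);
    toy_hash_final(&ctx, &d);
    return d;
}

/* VULNERABLE pattern (hypothetical reconstruction of the defect, not Apple's code):
 * the second "goto fail;" is not governed by the if above it, so control always
 * jumps to fail with err == 0 and toy_verify() never runs. Any signature,
 * including one from an eavesdropper's key, is reported as valid. */
int verify_vulnerable(const uint8_t *randoms, size_t rl,
                      const uint8_t *params, size_t pl, uint32_t signature)
{
    toy_hash_t ctx = {0};
    uint32_t digest = 0;
    int err;
    if ((err = toy_hash_update(&ctx, randoms, rl)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump, err still 0 */
    if ((err = toy_hash_update(&ctx, params, pl)) != 0)
        goto fail;
    if ((err = toy_hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = toy_verify(digest, signature);   /* unreachable */
fail:
    return err;
}

/* FIXED pattern: braces on every branch, no stray jump, and the verification
 * result is the only thing that can return success. */
int verify_fixed(const uint8_t *randoms, size_t rl,
                 const uint8_t *params, size_t pl, uint32_t signature)
{
    toy_hash_t ctx = {0};
    uint32_t digest = 0;
    int err;
    if ((err = toy_hash_update(&ctx, randoms, rl)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_update(&ctx, params, pl)) != 0) {
        goto fail;
    }
    if ((err = toy_hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = toy_verify(digest, signature);
fail:
    return err;
}
```

Feeding both functions the same forged signature makes the difference concrete: `verify_fixed` rejects it, while `verify_vulnerable` returns 0 and the caller proceeds as if the server had proven possession of the certificate's key. This is why the test pages mentioned above can be signed with an unrelated key and still load without warning on an unpatched system.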

Until a security update is available, there are several precautions people using Mavericks can take, although none of them is foolproof. One is to use apps that don't rely on the SecureTransport encryption layer: Google Chrome, Mozilla's Firefox browser, and Mozilla's Thunderbird e-mail app are all immune to these attacks.

Another partially effective measure is to use a virtual private network, which will protect users against attacks originating on public Wi-Fi hotspots and other unsecured networks. Still, a VPN will do little to prevent attacks like those described in documents leaked by former NSA contractor Edward Snowden. Those attacks often rely on the ability of the National Security Agency to easily monitor and even manipulate data traveling over the Internet's backbone.

Promoted Comments

What is worse than bad with this whole story is that by failing to coordinate the release of fixes for all the affected operating systems, they have managed to endanger the security of millions of users. Coding errors are bound to happen (even if I think QA should have caught it...) but at least fix them in an orderly manner.

An OSX patch takes longer to validate than on iOS? Fine! Just DON'T release one 1 week before the other, dammit, even Microsoft doesn't do that!

Seeing as how the update is 769MB, it's safe to assume that there's a lot more in there than just this fix. In fact, I wouldn't be surprised if this fix was a last-minute addition to 10.9.2 and that's why it took so long to get out, as there was some level of regression testing needed to ensure it was good to go with the rest of the patch set.

Interesting to see the standards people expect from online publications. Dunno. If the Wall Street Journal prints a story and the situation later changes, I do not think they would destroy all copies and reprint with more up-to-date articles. They have tomorrow's journal for that. As long as the article was factually correct when it went to print, I think they should be fine. We can argue what is a reasonable cutoff time for modifying online articles after publication, since it is much easier to make later changes. Personally I am fine with an occasional 'Update:' paragraph at the beginning of the article.